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TITLE OF THE INVENTION 

Method of and System for Making Purchases Over a Computer Network 

BACKGROUND OF THE INVENTION 

5 1 . Field of the Invention 

The present invention generally relates to a method of and system for making 
purchases over a computer network and, more particularly, to a method of and system for 
making purchases of goods and services over the Internet or other non-secure computer 
network using an automated-teller-machine (ATM) card, debit card or any other card which 
10 may require a valid personal-identification-number (PIN) for transaction authorization. 

2. Description of the Prior Art 

The use of personal computers by consumers to purchase goods and services over the 
Internet via the World Wide Web and e-mail has become very popular in recent years and 

15 constitutes an ever-increasing part of the economy. In making a purchase over the Internet, 
the typical consumer uses a credit card or ATM card. After making his purchase selection, 
the consumer transmits his card information over the Internet to the on-line merchant. The 
on-line merchant then contacts the issuing bank to verify the card information and obtain 
authorization to complete the transaction. Depending on the response from the bank, the on- 

20 line merchant either accepts or rejects the purchase. 

Because the Internet is a non-secure (i.e., public) network, there is a danger that the 
consumer's credit card or ATM card information will be intercepted by a third party. If that 
third party is dishonest, he can make illegal charges to the credit card or, in the case of an 
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ATM card, remove money directly from the consumer's bank accoimt. In recent years, 
numerous approaches have been implemented to reduce this security risk. The most popular 
approach has been sophisticated encryption techniques v^hich render the credit card or ATM 
card data virtually unreadable to third parties, such as 128-bit secure-sockets-layer (SSL) 
5 encryption. 

When making purchases over the Internet using an ATM card, however, security 
considerations take on an added importance because, unlike with transactions at ATM 
machines, PINs are presently not used in ATM transactions on the Internet. Thus, should the 
ATM card nximber fall into the hands of an unscrupulous third party, the card-holder's entire 

1 0 bank account can be wiped out through fraudulent Internet transactions. 

One way to overcome this problem is to require the use of PINs in ATM transactions 
on the Internet. This has not been possible to date, however, because on-line merchants do 
not have the ability to verify PINs. Additionally, it is not desirable to provide the on-line 
merchant with both the ATM card number and the corresponding PIN since unscrupulous 

1 5 employees of the on-line merchant can use the PIN to illegally access the card-holder's bank 
account and withdraw money therefrom. 

Accordingly, it is an object of the present invention to provide a new method of and 
system for making purchases over the Internet using an ATM card wherein a valid PIN is 
required in order to obtain authorization for a given transaction. It is another object of the 

20 present invention to provide a new method of and system for making purchases over the 
Internet using an ATM card wherein a valid PIN is required in order to obtain authorization 
for a given transaction, and wherein the PIN is not supplied to the on-line merchant. 
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SUMMARY OF THE INVENTION 

In accordance with a first aspect of the present invention, a method of making 
piirchases over a non-secure computer network using an ATM card is provided. In 
accordance with said method, a consumer transmits his ATM card number over the network 
5 to an on-line merchant. The on-line merchant then forwards the ATM card number to a third 
party contractor, such as a bank, that will oversee and authorize the transaction. 
Simultaneously or thereafter, the consumer transmits his PIN over the network to the third 
party contractor, bypassing the on-line merchant. Having both the ATM card number and the 
PIN, the third party contractor verifies that the ATM card number and PIN are correct, 

10 checks for sufficiency of funds, and either authorizes or denies the transaction. The 

authorization or denial is communicated to the on-line merchant over the network, who either 
completes or rejects the purchase and so notifies the consumer. 

In accordance with a second aspect of the present invention, a system for making 
purchases over a non-secure computer network using an ATM card is provided. The system 

15 includes first, second and third computers connected to a computer network. The first 
computer transmits the consumer's ATM card number over the network to the second 
computer, which is operated by or for the on-line merchant. The second computer forwards 
the ATM card number over the network to the third computer, which is operated by or for the 
third party contractor. Simultaneously or thereafter, the first computer transmits the 

20 consumer's PIN over the network to the third computer, bypassing the second computer. The 
third computer then verifies that the ATM card number and PIN are correct and that there are 
sufficient fimds in the bank account to cover the transaction amount. The third computer 
then transmits the results of the verification procedure to the second computer, which 
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forwards the results to the first computer. Depending on the verification results, the purchase 
is either completed or rejected. 

The present invention will now be described in detail, with frequent reference being 
made to the drawings identified below. 

5 

BRIEF DESCRIPTION OF THE DRAWINGS 

In the accompanying drawings: 

figure 1 is a schematic diagram of the system in accordance with the present 
invention; 

10 figure 2 is a flow chart which illustrates how the system of figure 1 operates; 

figure 3 shows a possible graphical user interface which can be used to enable the 
consumer to enter and transmit his PIN to the third party contractor; 
figure 4 is a diagram which summarizes the present invention; 
figures 5(a) - (d) show a computer program which can be used to format the data 
1 5 package sent from the second computer to the third computer in ISO 8583 format; and 

figures 6(a) - (f) show a computer program which can be used by the third computer 
to synchronize the data packages received from the first and second computers. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 

20 The system 1 0 in accordance with the present invention is schematically shown in 

figure 1. The system 10 includes a first computer 12 at a consumer location 14, a second 
computer 16 at an on-line merchant location 1 8, and a third computer 20 at a third party 
contractor location 22. The three computers 12, 16, 20 are connected together over a 
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computer network 24 which, for purposes of this discussion, is the Internet, although the 
present invention may be practiced on any computer network. As those of ordinary skill in 
the art know, the Internet 24 is a complex and amorphous computer network that comprises 
thousands of nodes and components and over which signals are transmitted by telephone 
5 lines, satellites and optical fibers. 

The first computer 12, which will generally be located at the consumer's home or 
business (consimier location 14), will typically be a conventional personal computer (PC) 
that includes a chassis that houses a central processing unit (CPU) and supporting circuitry, 
as well as a floppy drive, a hard drive and an internal modem. Connected to the CPU 

10 through the chassis are a keyboard, a mouse and a monitor. The keyboard and mouse are 
used by the consumer to control the operation of the first computer 12 and to input 
information into the first computer 12. The first computer 12 will usually be coupled to the 
Internet via a telephone line connected to the modem, although the computer can be 
connected to the Internet via a high speed data transmission line. The consumer will 

1 5 typically connect to the Intemet using an Internet service provider, such as Erols'^^ or 
America OnLine™, but may have a direct connection to the Intemet. 

Although a conventional PC will typically be used by the consumer, the consumer 
may use any type of computer that can be connected to the Intemet, including a work station 
on a local area network, and any operating system. The particular details of the first 

20 computer 12 are largely irrelevant to the present invention. The first computer 12 merely 
serves as a convenient interface for the consumer to place orders for goods and services over 
the Intemet. 
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Next shown in figure 1 is the second computer 16 which is located at the on-line 
merchant location 18. The second computer 1 6 will preferably be a more powerful machine 
than a personal computer, such as a workstation, although a personal computer may also be 
used by the on-line merchant. Again, the particular details of the second computer 16 are 
5 largely irrelevant to the present invention. 

Typically, the second computer 16 will be a Web server (a computer that provides 
direct access to the World Wide Web on the Internet and includes the necessary hardware, 
operating system, Web server software, TCP/IP protocols and Web site content) owned and 
operated by the on-line merchant or by an Internet service provider v^th whom the on-line 
1 0 merchant has contracted. For purposes of this discussion, the on-line merchant location 1 8 
refers to the location of the second computer 16, and not necessarily the actual physical 
location of the on-line merchant. 

Preferably, the second computer 16 will be running Windows NT™ 4.0, using 
Internet Information Server™ 4.0 and Commerce Server™ 3.0. The CPU of the second 
1 5 computer 16 must have acceptable power and should have at least 64 megabytes of RAM. 

The second computer 16 will typically have an on-line catalog in memory which can 
be accessed and browsed by the consumer over the Internet 24 through an appropriate 
graphical use interface (GUI) supplied by the on-line merchant. 

Next shown in figure 1 is the third computer 20 which is located at the third party 
20 contractor location 22. The third party contractor is an independent, insured organization, 
such as a bank, that has contracted with the on-line merchant to provide ATM services. 
Although the third computer 20 can be a personal computer, as with the second computer 16 
it will preferably be a much more powerful machine, such as a workstation. The third 
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computer 20 is likewise preferably a Web server owned and operated by the third party 
contractor or by an Internet service provider with whom the third party contractor has 
contracted. The third party contractor location 22 refers to the location of the third computer 
20 and not necessarily the actual physical location of the third party contractor. As with the 
5 first and second computers 12, 16, the particular details of the third computer 20 are largely 
irrelevant to the present invention, so long as the third computer 20 is capable of performing 
the functions described herein. Preferably, the third computer is Compaq ProLiant'^^ server 
running at 500 MHZ with 128 MB RAM and using Windows NT™ 4.0. 

The flow chart 26 provided in figure 2 illustrates how the system 10 operates. As 

10 shown in block 28, the consumer initially establishes a connection over the Internet between 
the first computer 12 and the second computer 16 by accessing the on-line merchant's Web 
site using a commercially available browser, such as Intemet Explorer'^^ or Netscape 
Navigator'^^. Then, as shown in blocks 30 and 32, using a GUI supplied by the on-line 
merchant, the consumer browses the on-line catalog, selecting which goods and/or services 

15 he wishes to purchase. Once the consumer makes his selection and is ready to place an 
order, the consumer transmits a purchase order message over the Intemet to the on-line 
merchant (block 34). 

The consimier is then prompted for his payment information, as indicated in block 36, 
which for purposes of the present discussion is an ATM card number and expiration date, 
20 although the payment information can include additional data such as the consumer's name 
and address. The consumer then transmits his payment information over the Intemet to the 
on-line merchant, as indicated in block 38. As used herein, the term "ATM card" includes 
bank cards, debit cards and any other cards for which the issuing bank or organization may 
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require a valid PIN for use. The payment information is transmitted over the Internet using 
an encrypted connection, such as 128-bit encryption SSL. 

When the on-line merchant receives the ATM card number, or earlier, the second 
computer 16 creates a unique session identifier by combining the consumer's IP address, 
5 which uniquely identifies the consumer, vvdth a date/time stamp. The ATM card number is 
then forwarded, or echoed, over the Intemet by the second computer 16 to the third computer 
20 at the third party contractor location 22 (block 40), along with the unique session 
identifier, a merchant id which uniquely identifies the on-line merchant, a terminal id which 
identifies the terminal being used by the on-line merchant, the expiration date of the ATM 

10 card and the purchase price. This data package is stored in memory on the third computer in a 
queue. Once again, 128-bit encryption SSL is preferably used. 

The data package transmitted by the second computer 16 to the third computer 20 is 
transmitted in ISO 8583 format. ISO 8583 is a messaging standard established by the 
International Standards Organization for financial transaction card oriented messages which 

1 5 is used by all banks and credit card companies and which is well known to those of ordinary 
skill in the art. A sample computer program written in Java which creates the unique session 
identifier and formats the data package in ISO 8583 format is provided in figure 5. This 
program is designed to run as an Active Server Page on Intemet Server 4.0 under Windows 
NT 4.0, although the program can be used on other platforms and programming 

20 environments, and can readily be implemented by one of ordinary skill in the art. 

Simultaneously or soon thereafter, the second computer executes a hyperlink to the 
third computer and the consumer is prompted by the third computer to input his PIN (block 
42). The consumer inputs his PIN into the first computer 12 and transmits it over the Intemet 
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to the third computer 20 (block 44). The connection between the first computer 12 and third 
computer 20 is encrypted and independent of the connection between the first computer 12 
and the second computer 16 so that the on-line merchant is never in possession of the PIN. 
As with the second computer 16, the first computer 12 transmits the unique session identifier, 
5 the merchant id, the terminal id, the expiration date of the ATM card and the purchase price 
to the third computer 20 along with the PIN in a data package. 

Figure 3 shows a typical GUI 46 which may be supplied by the third-party contractor 
and which pops up on the consumer's screen to allow the consumer to enter his PIN and 
transmit it to the third party contractor. As is clear from figure 3, the GUI 46 emulates an 

10 actual ATM machine and includes a simulated key pad 48 and a screen 50. The screen 50 
indicates the on-line merchant's name and mailing address 52 and the purchase price 54. 
Using his mouse, the consumer inputs his PIN, as shown by the series of dots 56. By 
pressing the SUBMIT button 58, the PIN number is transmitted to the third party contractor. 
If the consumer makes a mistake, he presses the CLEAR button 60 and re-types his PIN. If 

1 5 the consumer needs help from the third party contractor, he simply presses the HELP button 
62, which causes a help menu provided by the third party contractor to pop up on the screen, 
which may then be navigated by the consumer. 

The third computer 20 next verifies that the ATM card number and PIN are valid 
(block 64). Because the third-party contractor may be overseeing multiple transactions at 

20 any given time, the third computer 20 must synchronize the data packages received from the 
first and second computers 12, 16. To do this, the third computer 20 matches the unique 
session identifier, the merchant id, the terminal id, the expiration date of the ATM card and 
the purchase price fields contained in the data packages received from the first and second 
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computers 12, 16. A sample computer program for synchronizing the messages received 
from the first and second computers 12, 16 is provided in figure 6. The program is written in 
C++ and can readily be implemented by one of ordinary skill in the art. All of the forgoing 
data fields must match in order for the transaction to take place. For security reasons, a two 
5 minute window for matching is preferably implemented. If there is no match within the two 
minute window, the transaction is aborted. 

Once the data packages from the first and second computers 12, 16 are synchronized 
by the third computer 20, the third computer checks the ATM card number and PIN. If the 
ATM card number and PIN are invalid, the third computer 20 so informs the second 

10 computer 16 and the on-line merchant rejects the purchase order and notifies the consumer 
(block 66). If the ATM card number and PIN are valid, the third computer 20 checks to see 
whether there are sufficient fimds to cover the purchase price 56 (block 68). If there are 
sufficient fimds in the accoimt, the third computer transmits an authorization message to the 
second computer, debits the consumer's account, the purchase is completed and the consumer 

15 is notified (block 70). If there are insufficient fimds, a rejection message is transmitted, the 
on-line merchant rejects the purchase and the consumer is notified (block 72), 

If the ATM card was issued by the third party contractor, the verification steps 
(blocks 64 and 68) may be done by simply accessing an intemal database in or connected to 
the third computer 20. If, however, the ATM card was issued by another bank, then the third 

20 party contractor must verify the card information by contacting the issuing bank, either 

directly over a secure line, through a private ATM network, such as CIRRUS, or through any 
other available avenue. 
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The present invention is briefly and concisely summarized in figure 4. First, the 
consumer (first computer) transmits his ATM card number over the network to the on-line 
merchant (second computer) (block 74). Second, the on-line merchant forwards the ATM 
card number over the network to the third party contractor (third computer) (block 76). 
5 Third, the consumer transmits his PIN over the network to the third party contractor (block 
78). As figure 4 indicates, the on-line merchant is completely bypassed and never receives 
the PIN. Fourth, the third party contractor verifies the ATM card number and PIN and 
checks for sufficiency of funds (block 80). Fifth, the third party contractor transmits the 
results of the verification process over the network to the on-line merchant (block 82). And 

1 0 sixth, the on-line merchant forwards the results over the network to the consumer, either 
completing or rejecting the purchase, depending on the verification results (block 84). 

Thus, in accordance with the foregoing the objects of the present invention are 
achieved. Modifications to the present invention would be obvious to those of ordinary skill 
in the art, but would not bring the invention so modified beyond the scope of the appended 

15 claims. 
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CLAIMS 



What is claimed is: 

1 . A method of making purchases over a computer network using a first number that 
identifies a consumer's account from which funds will be withdrawn to pay a purchase price 
and a second number associated with said first number which, when used with said first 
number, enables withdrawal of fimds from said account, said method comprising the steps of: 

5 transmitting said first number over said network from a consumer location to an on- 

line merchant location; 

forwarding said first number over said network from said on-line merchant location to 
a third party contractor location; 

transmitting said second number over said network from said consumer location to 
1 0 said third party contractor location; and 

checking at said third party contractor location whether said first and second numbers 
are valid. 

2. The method according to claim 1 wherein said on-line merchant location is bypassed 
when said second number is transmitted from said consumer location to said third party 
contractor location. 

3. The method according to claim 1 wherein said first and second numbers are 
transmitted over said network via encrypted connections. 
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4. The method according to claim 1 wherein said network is the Internet, 

5. The method according to claim 1 including the additional step of checking at said 
third party contractor location whether said account has sufficient funds to cover said 
purchase price. 

6. The method according to claim 1 including the additional step of transmitting a signal 
from said third party contractor location to said on-line merchant location indicating whether 
said first and second numbers are valid. 

7. The method according to claim 5 including the additional step of transmitting a 
signal from said third party contractor location to said on-line merchant location indicating 
whether there are sufficient funds in said accoxmt to cover said purchase price. 

8. The method according to claim 1 including the additional step of transmitting a signal 
from said on-line merchant location to said consumer location indicating whether said 
purchase has been authorized. 

9. A system for making purchases over a computer network using a first number that 
identifies a consumer's account from which funds will be withdrawn to pay a pizrchase price 
and a second number associated v^th said first number which, when used with said first 
number, enables withdrawal of funds from said account, said system comprising: 
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a first computer at a consumer location, said first computer being connected to said 
network; 

a second computer at an on-line merchant location, said second computer being 
connected to said network; and 

a third computer at a third party contractor location, said third computer being 
connected to said network; 

wherein said first number is transmitted fi*om said first computer to said second 
computer over said network; 

wherein said first number is forwarded firom said second computer to said third 
computer over said network; 

wherein said second number is transmitted fi-om said first computer to said third 
computer over said network; 

and wherein said third computer checks whether said first and second nxambers are 

valid. 

1 0. The system according to claim 9 wherein said first computer bypasses said second 
computer when transmitting said second number to said third computer. 

1 1 . The system according to claim 9 wherein said first and second numbers are 
transmitted over said network via encrypted connections. 

12. The system according to claim 9 wherein said network is the Intemet. 
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13. The system according to claim 9 wherein said third computer checks whether said 
account has sufficient funds to cover said purchase price. 

14. The system according to claim 9 wherein said third computer notifies said second 
computer whether said first and second numbers are valid. 

15. The system according to claim 13 wherein said third computer notifies said second 
computer whether there are sufficient funds in said account to cover said purchase price. 

16. The system according to claim 9 wherein said second computer notifies said first 
computer whether said purchase is authorized. 
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ABSTRACT 

A method of and system for making purchases over a computer network using an 
ATM card or the like is provided. In accordance with the invention, a consumer transmits his 
ATM card number over the network to an on-line merchant. The on-line merchant then 
forwards the ATM card number to a third party contractor, such as a bank, that will oversee 
and authorize the transaction. Simultaneously or thereafter, the consumer transmits his PIN 
over the network to the third party contractor, who verifies that the ATM card number and 
PIN are valid. 
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CONSUMER TRANSMITS ATM 
CARD NUMBER TO ON-LINE 
MERCHANT 
1 



ON-LINE MERCHANT 
TRANSMITS ATM CARD 
NUMBER TO THIRD PARTY 
CONTRACTOR 



T 
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ON-LINE MERCHANT IS 
NOTIFIED, REJECTS 
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PIN 
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ON-LINE MERCHANT 
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THIRD-PARTY CONTRACTOR 
(THIRD COMPUTER) 



VERIFICATION 



FORWARD ATM 
CARD NUMBER 



import java.io.*; 
importjava.net.*; 
import java.utlL*; 



import j ava.util .Date ; 
import com.ms.com.*; 
import com.ms.asp.*; 



public class JRoute 



public Socket socSocket; 
int m_iTimeout=10000; 
J8583 msg = new J8583(); 

public int init(String input) 
{ 



//WAR DECLARATIONS 

int port=0,ok=0;//CONNECTION PORT,CHECKSUM 

String hostname="localhost";//DEFAULT 

DataOutputStream theOutputStream; 
int pamum=8; 
String strlnput==""; 

String ca^dNumbeI="^amount-"^expi^ydate='•^trannum="^tid=•'^mid-"^unique="^goAway=''' 



//////////////////f////////////////R£AD INI PARS 
StringTokenizer tkToken = new StringTokeni2er(input); 

hostname = tkToken.ncxtToken(); 

port = Integer.parseInt(tkToken.nextToken()); 

mJTimeout ^ lnteger,parseInt(tkToken.nextToken()); 



/////////////////////////////////// 



//CARD NEEDS TO BE SENT TO OKTOPUS 
//BUILD MSG 

msg.addField(2,cardNumber); 

msg.addField(4,amount); 

msg.addField(14,expirydate); 

msg.addField(37/l"); 
msg.addField(4i,tid); 
msg.addField(42,mid); 
msg.addField(6 1 ^unique); 

//CREATE SOCKET 

try 

{ 

socSocket = new Socket(hostname,port); 

socSocket.setSoTimeout(m_iTimeout); 

socSocketsetTcpNoDelay(true); 

} 

catch (UnknownHostException e) 
{ 



try{ 



retum(-4); //HOST NOT FOUND 



catch(IOException sockErr) 
{ 

retum(-3); 




catch(Exception all) 
{ 

retum(-2); 

} 

msg.sendData(soeSocket); 



} 

catch(Exception er) 
{ 

retum(-l); //SEND ERROR 

} 

retum(-l); 

} 

public int listenfordataO 
{ 

//8583 CLASS 

msg.receive(socSocket); 

try 

{ 

if(msg.decide(socSocket)=0) //APPROVAL 
{ 

try{ 

, retum(O); //ITS GOOD 

} 

catch(Exception any) 
{ 

retum(-2); //ERROR 

} 

} 

else 
{ 

retum(l); //DENIED 

} 

} 

catch(Exception e) 
{ 

retum(-3); //ERRROR 

} 

} 

} 

import java.io.*; 
importjava.net*; 

public class J8583 

^ private byte m_baOutD = new byte[1024]; //OUTGOING BUFFER 

private int m__baOutIndex=0; //O BASED INDEX OF FILLED BYTES 

private DataOutputStream m_dosData; 

private BufferedlnputStream m_bislnput; 

private int m_field[] = new int[30]; 

private String m_valueQ - new String[30]; 

public J8583() 
{ 

//CONSTRUCTOR 

} 

public void readFieldsQ 
{ 

intx=0; 

for(x=0;x<30;x++) 

System.out.prim(m_field[x]+"="+m_value[x]+"\n"); 

} 



public void addField(int field,String value) 
{ 

intxj; 

j = vaiue.lengthO; 

m_ba0ut[m_ba0utlndex] = (byte)fieid; 
m_baOutIndex-H-; 

for(x=0;x < j ;x++) //THE INDEX IS ONE HIGH TO LEAVE A NULL BETWEEN FIELDS 
m_baOut[x+m_baOutIndex] = (byte)value.charAt(x); 

m_ba0utlndex +=j+l;//RESET THE INDEX 

) 

public void sendData(Socket socLocal) 
{ 

try 

{ 

//SEND 

m_dosData = new DataOutputStream(socLocal.getOutputStream()); 
m_dosData.write(m_baOut,0,m_baOutIndex); 

) 

catch (UnknownHostException e) 
{ 

System.out.print(e); 
System.exit(O); 

} 

catch(IOException sockErr) 

{ 

System.out.print("Socket Connection: "+sockErr); 
System.exit(0); 

) 

catch(Exception all) 
{ 

System.ouLprint("Socket Error: "+all); 
System.exit(O); 

} 

> 

public String resolveFieldValue(int fieldNumber) 
{ 

int x=0; 

for(x=0;x<30;x++) 

if(m_field[x]=fieldNumber) 
retum(ni_value[x]); 

retumC'"); 

} 

public void rieceive(Socket socLocal) 
{ 

try 

{ 

m_bislnput = new BufferedlnputStream(socLocal.getlnputStreamO); 

intk=l,index=0; 

byte hufU = new byte[1024]; 

m_bisInput.Tead(buC0,1024); 

for(k=0;k<30;k++)//INITIALIZE THE NULL STRINGS 
m_value[k]=""; 

k=l; 

m_field[index] = buflindex]; //FIRST FIELD MARKED BY FIRST BYTE 
while(k<1024) 

{ 

if(buf[k]!=0) 
{ 

m_value[index]+=(char)buf[k++] ; 

} 

else 

{ 



if(buf[k+l]=0)//END OF STREAM 

else 
{ 

index-H-; 

m_field[index] = buf[k+l]; 

// System.out.print("r+buf[k+i]+'T'); 

k+-2; 

} 



} 

catch(IOException err) 
{ 

//TIMEOUT 

//System.out.print((nTimeout)/1000+" Second Timeout"); 
try 

{socLocalxIoseO;} 

catch(IOException Error) { System.out.print("p"+Error); } 



> 

catch(Exception all) 
{ 

//MOST LIKELY A CLOSE ON IQ 
System.out.print("Netwoik Connection Closed " + all); 
//redirect(urlTimeout); 

} 

) 

public int decide(Socket socLocal) 
{ 

int k=0,indexM); 
byte pResuit=0; 

for(k=0;k<30;k++) 

if(in_field[k]=39)//GRAB PIN FIELD 

pResult=(byte)m_value[k]xharAt(0); 

try{socLocal.close();} 
catch(IOException e){} 

if(pResult=48)//0 IS APPROVED 
{ 

//System.out.printC'Thank You For Shopping At Electronic Paycheck"); 
retum(O); 

} 

else 
{ 

//System.outprint("Denied"); 

retum(l); 

} 



// webhostDlg.cpp : implementation file 

// 



^/include "stda&.h" 
^include "webhosth" 
^include "webhostDlg.h" 

#inc!ude <afxtempLh> // list 

#ifiidefTimeOut 
#defme TimeOut200 
#endif 

#defme TimerlD 0x4000 

#ifdef_DEBUG 

#defme new DEBUG_NEW 

#undefTHIS_FILE 

static char THIS_nLED =_FILE_; 

#endif 

lllllllllllllllllllllllfllfflllllllllllllllllll^ 

II CAboutDlg dialog used for App About 

class CAboutDlg : public CDialog 

{ 

public: 

CAboutDlgO; 

// Dialog Data 

//{ { AFX_DATA(CAboutDig) 
enum { IDD - IDD_ABOUTBOX }; 
//}}AFX_DATA 

// CiassWizard generated virtual function overrides 

//{ { AFX_VIRTUAL(CAboutDlg) 

protected: 

virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support 
//}}AFX_VIRTUAL 

// Implementation 
protected: 

//{ { AFX_MSG(CAboutDig) 
//}}AFX__MSG 

DECLARE_MESSAGE_MAPO 



CAboutDlg::CAboutDlgO : CDialog(CAboutDlg::IDD) 
{ 

//{ { AFX_DATA_INIT(CAboutDlg) 
//}}AFX_DATA_INIT 

} 

void CAboutDlg: :DoDataExchange(CDataExchange* pDX) 
{ 

CDialog: :DoDataExchange(pDX); 
//{ { AFX_DATA_MAP(CAboutDlg) 
//}}AFX_DATA_MAP 

} 

BEGIN_MESSAGE_MAP(CAboutDig, CDialog) 
//{ { AFX_MSG_MAP(CAboutDlg) 
// No message handlers 
//}}AFX_MSG_MAP 

END_MESSAGE_MAPO 

iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiim^ 

//CWebhostDlg dialog 

CWebhostDlg::CWebhostDlg(CWnd* pParent /*=NULL*/) 




: CDiaIog(CWebhostDlg::IDD, pParent) 

{ 

//{ { AFX_DATA_INIT(CWebhostDlg) 
m_m = 0; 
m_out = 0; 
ni_q = _T(""); 
//}}AFX_DATA_INIT 

// Note that Loadlcon does not require a subsequent Destroylcon in Win32 
m_hIcon = A6fGetAppO->LoadIcon(IDR_MAINFRAME); 

} 

void CWebhostDlg::DoDataExchange(CDataExchange* pDX) 
{ 

CDiaIog::DoDataExchange(pDX); 
//{ {AFX„DATA„MAP(C WebhostDIg) 
DDX_ControI(pDX, IDC_LST, mjst); 
DDX_Text(pDX, IDC_IN, mjn); 
DDX_Text(pDX, IDC_OUT, m_out); 
DDX_Text(pDX, IDC_Q, m__q); 
//}}AFX_DATA_^MAP 

} 

BEGIN„MESSAGE_MAP(CWebhostDlg, CDialog) 

//{ { AFX_MSG_MAP(CWebhostDlg) 

ON_WM_SYSCOMMAND0 

ON_WM_PAINT0 

ON_WM_QUERYDRAGICON() 

ON_WM_TIMER0 

//}}AFX_MSG_MAP 
END_MESSAGE_MAPO 

extern CWebhostApp theApp ; 
CWebhostDlg* pDlg ; 
char dbParam[256] ; 

# include <ep_init.h> 

# include <format.h> 

#define__STDC_ 

# include <d3des.h> 

EPsql sql ; 
Listener listener ; 
CList<Auth*,Auth*> Qa ; 
CList<EndPoint*,EndPoint*> Qe ; 

int matchF[]-{ 2,14,41,42,61,0 } ;//f61=umqueID,f44-"5A31 54050 18B44C4" 
unsigned char k&yUH 0x29, Oxda, 0x91, OxOb, 0x80, 0x9b, Oxfe, 0xd3 } ; 

CString sDebug ; 

void Listener: :OnAccept(int nErrorCode) { 
EndPoint* tmp=new EndPointQ ; 
if (Accept(*tmp)) tmp->initO ; else delete tmp ; 

} 

int EndPoint::respondO { 
const char *p ; 
char plct[1024],*s=pkt; 
inti,d[]-{ 35,43,47,48,52,62,102,103,0 } ; 
if (getType()=0) return 0 ; 
i-0 ; while (d[i]) { set(d[i],NULL) ; i++ ; } 
for(i=2; i<128; i++) 

{ if (p-get(i)) { *s=i ; strcpy(s+l,p) ; s+=strlen(p)+2 ; } } 
return Send(pkt,s-pkt) ; 

} 

int EndPoint::aging(int t) { 
if (t) { if (t==-l) sec- ; else sec=t ; } 
return sec ; 

} 



int EndPoint::match(M8583* m) { 
mtf,i=0; 

while (f=matchF[!-H-]) if (strcmp(ni->get(f),get(f))) return 0 ; 
return 1 ; 

} 

void EndPoint::initO { 
charbuf[32]; 
CString ipO ; 
UINT port ; 

BOOL nodeIay=TRUE ; 

SetSockOpt(TCP_NODELAY,&nodeiay,sizeof(BOOL),IPPROTO_TCP); 
sec=TimeOut ; Qe.AddTail(this) ; pDlg->m_in++ ; 
GetPeerName(ipO,port) ; ip=inet_addr(ipO) ; 
sprintf(buf/'Connect %08x",ip) ; pDIg->note(buf) ; 

} 

void EndPoint::reject(intcode) { 
charbufI32] ; 

sprintf(buf,"Reject%08x, code=%d",ip,code) ; pDIg->note(buf) ; sec=0 ; 
set(39,"100") ; set(44,buf+16) ; respondQ ; 

} 

void EndPoint::OnReceive(int nErrorCode) { 
Auth* a ; 

EndPoint* e=NULL ; 
POSITION posl,pos2; 
BOOL fi3]lTrans=TRUE ; 
short len,l,i,f ; 
const char* pp ; 

char *p,pin[24],pan[20],buf[1024],scodeD="1200", ofTsetD="0000" ; 
if (nErrorCode) { sec=0 ; return ; } 

len=Receive(buf,I020) ; buf[len]=0 ; p=buf ; setType(!200) ; *pin=l ; 
while (*p) { 

l=strlen(p) ; if ((*p=61)&&(l=2)&&(p[l]='A')) funTrans=FALSE ; 
if (set(*p,p+l,8)<I) { reject(*p) ; return ; } 
if ((*p--52)&&(I<14)) // clear PIN 

{ *pin=0 ; pin[l]=l-i ; strcpy(pin+2,p+l) ; memset(pin+I+l, 15,10) ; } 
p+=(l+l);// build PIN block 

} 

if ((PP=get(52))&&(stmcmp(pp,"F0r',3)=0)) { reject(52) ; return ; } 
i-0 ; while (f-matchF[i-H-]) if (get(f)=-=NULL) { i^:ject(f) ; return ; ) 
if (*pin=0) { // got clear PIN, build PAN block, update PIN block 

strcpy(pan,ofFset) ; stmcpy(pan+4,get(2)+strlen(get(2))-13,12) ; 

p-pin ; for (i=0; i<16; i++) ( *p=(*p^an[i])&15 ; p++ ; } 

for 0=0; i<8; i++) pin[i]=03in[i*2]«4)+pin[i*2+l] ; 

deskey(key,0) ; des((unsigned char*)pin,(unsigned char*)pan) ; 

for (i=0; i<8; i-H-) bin2hex(pin+i*2,pan[i]) ; pin[16]=0 ; set(52,pin) ; 

strcpy(buf,get(2)) ; strcat(buf,"=") ; strcat(buf,get(14)) ; 

strcat(buf,scode) ; strcat(buf,offset) ; set(35,buf) ; 
} // service code and offset hardcoded 
if (fullTrans) { 

pos2=Qe.GetHeadPositionO ; 
while (pos2) { 
posl=pos2 ; e=Qe.GetNext(pos2) ; 

if (!match(e)||(e=this)) e=NULL ; else { Qe.RemoveAt(posl) ; break ; } 

} 

} 

if(!fullTrans||fullTrans&&e) 

{ a=new Auth(this,e) ; Qa.AddTail(a) ; Qe,RemoveAt(Qe.Find(this)) ; } 
sprintf(buf,"Recv %08x %d, card=%s",ip,len,get(2)) ; pDlg->note(buf) ; 

} 

Auth::Auth(EndPoint* el, EndPoint* e2) { 
int i ; 

const char* p ; 
charf[16],dest[4]="N?"; 
e[0]=el;e[l]=e2;cp(*el); 
if (e2) { 



if (e2->getTypeO=1200) setType(1200) ; set(3,"000000") ; 

for (i=2; i<128; i++) if (p=e2->get(i)) set(i,p) ; 
} else { set(3,"300000") ; set(4,"000000000000") ; } 
if (fillMsg(*this,sql,dbParam,3)) // 1: BIN, 2: mid/tid 
{ el->reject(l) ; if (e2) e2->reject(l) ; setType(O) ; return ; } 
id=-K.pDlg->m_out ; pDlg->UpdateData(FALSE) ; 
set(37,itoa(idX10X8) ; pDig->m_ep.cp(*this) ; 
dest[l]-*(get(47)+l) ; pDlg->ni_ep.send(dest) ; 

} 

BOOL Auth::isActive() { 
if ((e[l]==NULL)||(e[0]->aging(0)>0)&&(e[l]->aging(0)>0)) return TRUE ; 
setType(O) ; return FALSE ; 

) 

Auth::-'AuthO { 
for (int i=0; i<2;i++) if(e[i]) 
{ e[i]->cp(*this) ; e[i]->respondO ; delete e[i] ; } 
setType(O) ; 

} 

liiiiiiiiiiiiiiiiiiiififiiiiwiiiiiim 

II CWebhostDlg message handlers 

BOOL CWebhostDlg: :OnInitDialog() 
{ 

CDialog: lOnlnitDialogO; 

// Add "About..." menu item to system menu. 

// IDM_ABOUTBOX must be in the system command range. 
ASSERT((IDM_ABOUTBOX & OxFFFO) = IDM_ABOUTBOX); 
ASSERT(IDM_ABOUTBOX < OxFOOO); 

CMenu* pSysMenu = GetSystemMenu(FALSE); 
if(pSysMenu !=NULL) 
{ 



CString strAboutMenu; 
strAboutMenu.LoadString(IDS_ABOUTBOX); 
if(!strAboutMenu.IsEmptyO) 

^ pSysMenu->AppendMenu(MF_SEPARATOR); 

pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu); 



// Set the icon for this dialog. The framework does this automatically 
// when the application's main window is not a dialog 



// TODO: Add extra initialization here 
charIP[256],name[4],title[i6] ; 
short TCPort,port; 

const char fmt[]="%s %hd %2s %s %hd %s" ; 

const char usage[]="Usage: webhost IP port name DBparam listenPort" ; 

if(sscanf(theApp.mJpCmdLine,fmtJP,&TCPort,name,dbParam,&port)<5) 

{ ::MessageBox(NULL,us^e,"Error'*,MB_OK) ; EndDialog(O) ; return FALSE ; } 

sprintf(title;'WebHost %s %d",name,port) ; SetWindowText(title) ; 

if (!listener.Create(port)) { 

::MessageBox(NULL,"Unable to create TCP/IP sockets.","Error",MB_OK) ; 

EndDialog(O) ; return FALSE ; 

} 

if (llistener.ListenO) { 
::MessageBox(NULL,"Network error.","Error",MB_OK) ; 
EndDialog(O) ; return FALSE ; 

} 

if (m_epxonnect(IPJCPort,name)) { 
::MessageBox(NULL,"Error connecting to EProute.","ErTor",MB_OK) ; 



SetIcon(m_hIcon, TRUE); 
Setlcon(m_hlcon, FALSE); 



// Set big icon 



// Set small icon 



EndDialog(0) ; return FALSE ; 




} 

pDlgpthis ; SetTimer(TimerID,1000,NULL) ; 

return TRUE; // return TRUE unless you set the focus to a control 

} 

void CWebhostDlg::OnSysCommand(UINT nlD, LP ARAM IParam) 
{ 

if ((nID & OxFFFO) = IDM_ABOUTBOX) 
{ 

CAboutDIg dlgAbout; 
digAbout.DoModaIO; 

} 

else 
{ 

CDialog::OnSysCommand(nID, IParam); 

} 

) 

// If you add a minimize button to your dialog, you will need the code below 
// to draw the icon. For MFC applications using the document/view model, 
// this is automatically done for you by the framework. 

void CWebhostDlg::OnPaintO 
{ 

if(IsIconicO) 
{ 

CPaintDC dc(this); // device context for painting 

SendMessage(WM_ICONERASEBKGND, (WPARAM) dcGetSafeHdcQ, 0); 

// Center icon in client rectangle 

int cxicon = GetSystemMetrics(SM_CXICON); 

int cylcon = GetSystemMetrics(SM_CYICON); 

CRect rect; 

GetClientRect(&rect); 

int X = (rectWidthO - cxicon + 1) / 2; 

int y = (rect.Height() - cylcon + 1) / 2; 

// Draw the icon 
dc.DrawIcon(x, y, mjilcon); 

} 

else 
{ 

CDialog::OnPaintO; 

} 

} 

// The system calls this to obtain the cursor to display while the user dr^s 

// the minimized window. 

HCURSOR CWebhostDlg-OnQueryDraglconO 

{ 

return (HCURSOR) m_hIcon; 

} 

void CWebhostDlg::OnTimer(UINT nIDEvent) 

// TODO: Add your message handler code here and/or call default 

Auth* a ; 
EndPoint* e ; 
POSITION posl,pos2; 
BOOL del=FALSE ; 
if (nIDEven1==TimerID) { 

pos2=Qe.GetHeadPosition() ; 

while (pos2) { 

posl=pos2 ; e=Qe.GetNext(pos2) ; 

if (e->agingO<l) { Qe.RemoveAt(posl) ; dei=TRUE ; delete e ; } 

} 

pos2=Qa.GetHeadPositionO ; 
while {pos2) { 
posl=pos2 ; a=Qa.GetNext(pos2) ; 



if (!a->isActive()) { Qa.RemoveAt(posl) ; del=TRUE ; delete a ; } 

} 

if (del) note(NULL); 
^ CDialog: :OnTimer(nIDEvent); 

} 

void CWebhostDlg::note(const char* s) { 
if(s) 

{ m_lst.AddString(s) ; if (mJst.GetCountO>14) m_lst.DeieteString(0) ; } 
m_q.Format("%d %d'\Qe.GetCountO,Qa.GetCountO) ; UpdateData(FALSE) ; 

} 

void On8583(short mXype, EPacket* ep) { 
int n,i ; 
char s[64] ; 
const char* p ; 
POSITION posl,pos2; 
Auth* a ; 

if ((mType=-I)||ep->niustExitO) { pDlg->EndDialog(0) ; return ; } 
if (mType) return ; // ignore other administrative messages 
ep->receive() ; if (ep->getType()=1430) return ; 
if (p=ep->get(37)) n=atoi(p) ; else return ; 
pos2=Qa.GetHeadPositionO ; 
while (pos2) { 

posl=pos2 ; a=Qa.GetNext(pos2) ; 

if (a->match(n)) { 

ep->set(37,NULL) ; for (i-2; i<128; i++) if (p=ep->get(i)) a->set(i,p) ; 
Qa.RemoveAt(posl) ; delete a ; pDlg->note(NULL) ; return ; 

} 

pDlg->note("reversal") ; ep->getType(s) ; memset(s+4;0U8) ; s[22]=0 ; 
if (p=ep->get(ll)) stmcpy(s+4,p,6) ; 
if (p==ep->get(12)) stmcpy(s+10,p,12) ; 
if (p=ep->get(32)) strcpy(s+22,p) ; 

ep->set(56,s) ; ep->setType(1420) ; ep->send(ep->getSender()) ; 

} 

/* 

sDebug.Format("") ; 

::MessageBox(NULL,sDebug,"Debug",MB_OK) ; 
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